linux/fs/f2fs
Jakob Koschel 2aaf51dd39 f2fs: fix dereference of stale list iterator after loop body
The list iterator variable will be a bogus pointer if no break was hit.
Dereferencing it (cur->page in this case) could load an out-of-bounds/undefined
value making it unsafe to use that in the comparison to determine if the
specific element was found.

Since 'cur->page' *can* be out-of-bounds it cannot be guaranteed that
by chance (or intention of an attacker) it matches the value of 'page'
even though the correct element was not found.

This is fixed by using a separate list iterator variable for the loop
and only setting the original variable if a suitable element was found.
Then determining if the element was found is simply checking if the
variable is set.

Fixes: 8c242db9b8 ("f2fs: fix stale ATOMIC_WRITTEN_PAGE private pointer")
Signed-off-by: Jakob Koschel <jakobkoschel@gmail.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
2022-04-25 15:13:03 -07:00
..
acl.c f2fs: support idmapped mounts 2022-02-12 06:20:46 -08:00
acl.h vfs: add rcu argument to ->get_acl() callback 2021-08-18 22:08:24 +02:00
checkpoint.c f2fs: fix wrong condition check when failing metapage read 2022-04-20 11:16:43 -07:00
compress.c Filesystem folio changes for 5.18 2022-03-22 18:26:56 -07:00
data.c f2fs: keep io_flags to avoid IO split due to different op_flags in two fio holders 2022-04-20 11:16:43 -07:00
debug.c f2fs: introduce gc_urgent_mid mode 2022-03-17 09:16:22 -07:00
dir.c f2fs-for-5.18 2022-03-22 10:00:31 -07:00
extent_cache.c f2fs: support fault injection for f2fs_kmem_cache_alloc() 2021-08-17 11:59:05 -07:00
f2fs.h f2fs: remove obsolete whint_mode 2022-04-20 11:16:43 -07:00
file.c f2fs: introduce data read/write showing path info 2022-04-25 15:13:03 -07:00
gc.c f2fs: don't set GC_FAILURE_PIN for background GC 2022-04-25 15:13:02 -07:00
gc.h f2fs: introduce gc_merge mount option 2021-03-30 18:48:56 -07:00
hash.c unicode: clean up the Kconfig symbol confusion 2022-01-20 19:57:24 -05:00
inline.c f2fs: move f2fs to use reader-unfair rwsems 2022-01-24 17:40:04 -08:00
inode.c f2fs: should not truncate blocks during roll-forward recovery 2022-04-21 18:57:09 -07:00
iostat.c f2fs: use iomap for direct I/O 2021-12-10 15:48:30 -08:00
iostat.h f2fs: introduce periodic iostat io latency traces 2021-08-23 10:25:51 -07:00
Kconfig f2fs: introduce F2FS_UNFAIR_RWSEM to support unfair rwsem 2022-03-04 09:15:53 -08:00
Makefile f2fs: separate out iostat feature 2021-08-23 10:25:51 -07:00
namei.c f2fs: fix to do sanity check on inline_dots inode 2022-04-25 15:13:03 -07:00
node.c f2fs: Get the superblock from the mapping instead of the page 2022-04-01 14:40:44 -04:00
node.h f2fs: add a way to limit roll forward recovery time 2022-02-12 05:58:18 -08:00
recovery.c f2fs-for-5.18 2022-03-22 10:00:31 -07:00
segment.c f2fs: fix dereference of stale list iterator after loop body 2022-04-25 15:13:03 -07:00
segment.h f2fs: introduce F2FS_IPU_HONOR_OPU_WRITE ipu policy 2022-02-07 11:28:35 -08:00
shrinker.c f2fs: avoid race condition for shrinker count 2020-12-03 00:59:26 -08:00
super.c f2fs: remove obsolete whint_mode 2022-04-20 11:16:43 -07:00
sysfs.c f2fs-for-5.18 2022-03-22 10:00:31 -07:00
verity.c f2fs: move f2fs to use reader-unfair rwsems 2022-01-24 17:40:04 -08:00
xattr.c f2fs: move f2fs to use reader-unfair rwsems 2022-01-24 17:40:04 -08:00
xattr.h f2fs: code cleanup by removing ifdef macro surrounding 2020-05-26 18:56:10 -07:00